Endpoint Encryption

Modifying "Key Usage" Flags on Existing ADKs

    Posted Feb 20, 2013 05:34 PM

    Is there a straightforward way to modify the "Key Usage" flags of an existing ADK?

    Backstory:

    My organization created its ADKs when we were only licensed for PGP Whole Disk Encryption, and no other client applications. Later on we added NetShare support in our environment, as well.

    Given that our license only allowed WDE, and not NetShare, when we created our ADKs, the NetShare key usage flags were not enabled on these ADKs, nor did those flags "turn on" when the license for NetShare was applied. This wasn't an issue until PGP Desktop 10.2.0 MP5 (Build 2599) was released. The release notes mention the following fix:

    Resolved an issue so that a user can no longer use PGP NetShare to protect a folder if an ADK does not include the PGP NetShare usage flag. [2716244]

    When we contacted Symantec support we were told that prior to this release PGP NetShare would allow the encryption of files if the user's key was enabled for NetShare, but it would silently fail to encrypt the files with the ADKs where the NetShare key usage flag was not present. (The other support tickets we opened previously about not being able to decrypt files with ADKs started to make sense at this point). We never knew the key usage thing was an issue because PGP NetShare was silently failing.

    First Symantec support asked, and we declined, to send them our ADKs and their associated passwords. Instead, this was the procedure I was given to fix the key usage flag:

    1. Open the .asc keypair in Notepad, copy ONLY the private key part. Open a standalone version of PGP Desktop, make sure that the key is not yet in the keyring, then paste the private key part into PGP Desktop.

    2. When looking at the key you will notice that the self-signature is missing. To fix this, create a new temporary UserID, delete the old UserID, then add the old UserID again, then delete the temporary UserID.

    3. Now export the keypair from PGP Desktop or use PGP commandline on the same machine to continue adding the usage flags.

    4. With PGP commandline run the following commands:

    • pgp --list-key-details "[keyName]"
      to identify the keyID and the keyID of the encryption subkey
    • pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag encrypt [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --key-flag sign [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --key-flag product-netshare [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --key-flag product-zip [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --key-flag product-messaging [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --key-flag product-wde [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-netshare [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-zip [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-messaging [--passphrase passphrase-for-key]
    • pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-wde [--passphrase passphrase-for-key]
    • pgp --set-preferred-ciphers [keyID] --aes256 1 --cast5 2 --3des 3 --twofish 4 --aes128 5 --aes192 6 [--passphrase passphrase-for-key]
    • pgp --set-preferred-hashes [keyID] --sha256 1 --sha384 2 --sha512 3 [--passphrase passphrase-for-key]
    • pgp --set-preferred-compression-algorithms [keyID] --zlib 1 --bzip2 2 --zip 3 [--passphrase passphrase-for-key]

    Now you can export the modified key.

    pgp --export-key-pair [keyID] --overwrite-remove


    Is this really the best way to accomplish this? Will this actually fix the issue? Is it really a feasible solution to ask me to install a trial version of PGP Command Line in an attempt to recover from an undocumented "gotcha"? Couldn't PGP/Symantec have made an ADK/WDE Admin creation tool that allows all functionality, regardless of license? Given these failures in the documentation, shouldn't there be a tool to "fix" keys with incorrect key usage flags?

    I've read the ADK Guidelines document, and it doesn't mention future-proofing one's ADKs by enabling all the features. Other documents (like http://www.symantec.com/docs/HOWTO41980 and http://www.symantec.com/docs/TECH149696) advise against modifying ADKs and basically state that once you've set an ADK it's done and it can't be modified/replaced without pain. (I would post content from those articles if the Symantec support site wasn't going through its common "Gateway Timeout" errors at the moment.)

    Is there anything else I can try?
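Because the support procedure above has to be repeated for every ADK, here is an added example (not from the original post, and not Symantec's own tooling) that wraps step 4 and the final export in a POSIX sh script. It assumes `pgp` is the PGP Command Line binary on PATH, that KEY_ID and SUBKEY_ID were read from `pgp --list-key-details`, and that the passphrase is supplied in the PGP_PASSPHRASE environment variable; the preferred-cipher/hash/compression commands are left out.

```shell
#!/bin/sh
# Added example, not from the original post: applies the ADK key-usage
# flags from step 4 with PGP Command Line, then exports the keypair.
# Assumptions: `pgp` is on PATH, KEY_ID/SUBKEY_ID come from
# `pgp --list-key-details`, and PGP_PASSPHRASE holds the key passphrase.
set -eu

# Product flags the procedure sets on both the primary key and the subkey.
PRODUCT_FLAGS="product-netshare product-zip product-messaging product-wde"

# set_flag KEY_ID FLAG [SUBKEY_ID]: one --set-key-flag call, applied to
# the subkey when a third argument is given, otherwise to the primary key.
set_flag() {
    if [ -n "${3:-}" ]; then
        pgp --set-key-flag "$1" --subkey "$3" --key-flag "$2" \
            --passphrase "$PGP_PASSPHRASE"
    else
        pgp --set-key-flag "$1" --key-flag "$2" \
            --passphrase "$PGP_PASSPHRASE"
    fi
}

# apply_adk_flags KEY_ID SUBKEY_ID: the full flag sequence from step 4,
# in the order the support procedure lists it (10 pgp invocations).
apply_adk_flags() {
    set_flag "$1" encrypt "$2"
    set_flag "$1" sign
    for f in $PRODUCT_FLAGS; do set_flag "$1" "$f"; done
    for f in $PRODUCT_FLAGS; do set_flag "$1" "$f" "$2"; done
}

# export_adk KEY_ID: write the modified keypair out (the final step).
export_adk() {
    pgp --export-key-pair "$1" --overwrite-remove
}

# Usage: PGP_PASSPHRASE='...' sh fix-adk-flags.sh KEY_ID SUBKEY_ID
if [ $# -eq 2 ]; then
    : "${PGP_PASSPHRASE:?set PGP_PASSPHRASE in the environment}"
    apply_adk_flags "$1" "$2"
    export_adk "$1"
fi
```

The passphrase still reaches `pgp` as a command-line argument, exactly as in the support procedure, so it is visible in the local process list while each command runs; run this on the standalone machine the procedure already calls for.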